LinuxCommandLibrary

debsecan

Scan Debian packages for security vulnerabilities

TLDR

List vulnerable installed packages on the current host

$ debsecan

List vulnerable installed packages of a specific suite
$ debsecan --suite [release_code_name]

List only fixed vulnerabilities
$ debsecan --suite [release_code_name] --only-fixed

List only fixed vulnerabilities of unstable ("sid") and mail to root
$ debsecan --suite [sid] --only-fixed --format [report] --mailto [root] --update-history

Upgrade vulnerable installed packages
$ sudo apt upgrade $(debsecan --only-fixed --format [packages])

SYNOPSIS

debsecan [OPTIONS]

PARAMETERS

--config FILE
    Reads settings from FILE instead of /etc/default/debsecan.

--suite SUITE
    Names the Debian suite of this installation (for example bookworm, bullseye or sid). Only with a real suite can debsecan tell whether a fixed version exists; the GENERIC placeholder carries no version information.

--source URL
    Downloads the vulnerability data from URL instead of the Debian Security Tracker's debsecan export.

--status FILE
    Analyses the dpkg status file FILE instead of /var/lib/dpkg/status, for example the copy inside a chroot or an unpacked container image.

--format FORMAT
    Selects the output: summary (default, one line per vulnerability), packages (affected binary package names only, suitable for feeding to apt), bugs (bug identifiers only), detail (full description of each vulnerability) or report (text suitable for mailing).

--only-fixed
    Lists only vulnerabilities for which a fixed package exists in the configured suite.

--no-obsolete
    Skips packages that are no longer part of the suite. debsecan's own help advises against this: an obsolete package will never receive a fix, which is exactly why it should stay visible.

--history FILE
    Uses FILE as the record of vulnerabilities already reported (default /var/lib/debsecan/history).

--update-history
    Writes the current findings to the history file after reporting, so the next run lists only new ones.

--whitelist FILE
    Uses FILE as the whitelist of findings to suppress.

--add-whitelist ENTRY..., --remove-whitelist ENTRY..., --show-whitelist
    Adds or removes the whitelist entries given as further arguments, or prints the current whitelist (see debsecan(1) for the entry syntax).

--cron
    Cron mode: reads the configuration file, reports only vulnerabilities not seen before, updates the history and mails the result.

--mailto ADDRESS
    Mails the report to ADDRESS instead of printing it.

--disable-https-check
    Skips TLS certificate verification when downloading the data. Anyone on the network path could then feed the scanner forged vulnerability data; leave this off and fix the certificate problem instead.

--update-config
    Adds variables introduced by newer versions to an existing configuration file.

--help
    Shows the option summary and exits.

DESCRIPTION

debsecan (Debian Security Analyzer) reports known vulnerabilities in the packages installed on a Debian host. It reads the dpkg status database (/var/lib/dpkg/status by default) and matches the installed source packages and versions against vulnerability data that it downloads from the Debian Security Tracker (security-tracker.debian.org) on every run. The tracker covers every CVE the Debian security team has triaged, not only the issues that received a Debian Security Advisory (DSA).

When a suite is configured (with --suite or the SUITE setting), the per-suite data tells debsecan which fixed version, if any, exists in that suite, so it can separate vulnerabilities that an apt upgrade would close (--only-fixed) from those still open. Output formats range from a one-line-per-issue summary to a bare package list that can be passed to apt and a mail-ready report. A history file records what has already been reported, so the daily cron run mails only newly discovered issues. debsecan finds the vulnerable packages; applying the fixes is still done with apt.

CAVEATS

There is no local database to update: debsecan downloads the current Security Tracker data on every run, so each run needs outbound HTTPS access. Do not work around certificate errors with --disable-https-check; a scanner that accepts forged data is worse than none.
Without a real suite (SUITE=GENERIC, which is what an unconfigured installation uses) there is no version information: every vulnerability ever recorded for an installed source package is listed and fixed status cannot be determined, which makes --only-fixed meaningless.
Only packages that Debian ships are covered, and only by comparing versions against Debian's own. Third-party repositories, locally built packages, software installed outside dpkg (language package managers, vendored libraries, container images) and derivatives such as Ubuntu, whose version numbers and fixes differ, are not assessed reliably.
debsecan reports; it does not upgrade. Apply fixes with apt or apt-get. A package flagged as obsolete is no longer part of the configured suite, so an upgrade will not replace it and it needs to be removed or migrated by hand.

CONFIGURATION FILE

debsecan reads /etc/default/debsecan (override with --config). It is a shell-style file with four variables: SUITE (the Debian suite, or GENERIC), MAILTO (recipient of the cron report), REPORT (true or false, whether the cron job mails at all) and SOURCE (URL of the vulnerability data; empty selects the Debian Security Tracker). The values are set through debconf when the package is installed and can be changed later with dpkg-reconfigure debsecan; --update-config adds variables that a newer version expects to an existing file.
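The following is an added illustration for this page, not the file the debsecan package ships: a /etc/default/debsecan with the setting that silently disables fix detection shown next to the corrected one. The variable names are the ones the package uses; the values are for a hypothetical bookworm host.

```shell
# /etc/default/debsecan  (example values, not the package's shipped defaults)

# Weak: GENERIC carries no per-suite version data. debsecan then lists every
# vulnerability ever recorded for an installed source package and cannot tell
# fixed from unfixed, so --only-fixed and the cron report become useless.
#SUITE=GENERIC

# Corrected: name the suite that is actually installed (bookworm, bullseye, sid ...).
SUITE=bookworm

# Let the daily cron run mail new findings, and to whom.
REPORT=true
MAILTO=security@example.com

# Empty selects the Debian Security Tracker export over HTTPS. Only point this
# at a mirror you control; the scanner trusts whatever it downloads here.
SOURCE=
```

After editing, run debsecan --suite bookworm --only-fixed --format summary once by hand and check that at least some findings are marked as fixed; if nothing is, the suite name does not match what the tracker publishes.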

CRON JOB SETUP

The Debian package installs a cron entry (/etc/cron.d/debsecan) that runs debsecan --cron once a day, so no extra setup is needed beyond the configuration file. In cron mode debsecan reads /etc/default/debsecan, downloads the current data, compares the findings with its history file (/var/lib/debsecan/history) and, if REPORT is true, mails only vulnerabilities not reported before to MAILTO. The job reports; it never upgrades anything, so the mailed list still has to be acted on.
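The TLDR's upgrade one-liner and the cron job above can be combined into a maintenance script. The following is an added example, not part of debsecan or of this page: it picks the suite from the SUITE variable of the configuration file (falling back to VERSION_CODENAME in /etc/os-release, which sid does not set), runs debsecan with --only-fixed --format packages, drops packages listed in a local exceptions file, and upgrades the rest with apt-get. The exceptions file path, the DEBSECAN_EXCEPTIONS variable and the "run" argument are conventions invented for this example, not debsecan settings.

```shell
#!/bin/sh
# Added example: upgrade only the installed packages for which debsecan
# reports that a fixed version exists in the running suite.
set -eu
export LC_ALL=C   # deterministic sort/comm collation

# Pick the suite: SUITE from a debsecan config file wins unless it is empty or
# GENERIC; otherwise fall back to VERSION_CODENAME in an os-release file.
# Both paths are parameters so the function can be checked on sample files.
resolve_suite() {
    cfg=$1
    osr=$2
    suite=""
    if [ -r "$cfg" ]; then
        suite=$(sed -n 's/^SUITE=//p' "$cfg" | tr -d '"' | tail -n 1)
    fi
    if [ -z "$suite" ] || [ "$suite" = GENERIC ]; then
        suite=$(sed -n 's/^VERSION_CODENAME=//p' "$osr" 2>/dev/null | tr -d '"')
    fi
    printf '%s\n' "$suite"
}

# Read package names on stdin (one per line, the layout of
# `debsecan --format packages`) and drop those named in the exceptions file
# (one package per line, '#' comments allowed). Output is sorted and unique.
filter_exceptions() {
    excl=$(mktemp)
    sed -e 's/[[:space:]]*#.*//' -e '/^[[:space:]]*$/d' "$1" | sort -u >"$excl"
    sort -u | comm -23 - "$excl"
    rm -f "$excl"
}

main() {
    suite=$(resolve_suite /etc/default/debsecan /etc/os-release)
    if [ -z "$suite" ]; then
        echo "debsecan-upgrade: no suite in /etc/default/debsecan and no VERSION_CODENAME in /etc/os-release" >&2
        exit 2
    fi
    # DEBSECAN_EXCEPTIONS is a convention of this script, not a debsecan setting.
    exceptions=${DEBSECAN_EXCEPTIONS:-/etc/debsecan-exceptions}
    [ -r "$exceptions" ] || exceptions=/dev/null
    pkgs=$(debsecan --suite "$suite" --only-fixed --format packages | filter_exceptions "$exceptions")
    if [ -z "$pkgs" ]; then
        echo "debsecan-upgrade: no installed package has a pending security fix in $suite"
        return 0
    fi
    echo "debsecan-upgrade: upgrading in $suite:" $pkgs
    # Word splitting of $pkgs is intended: one argument per package name.
    # shellcheck disable=SC2086
    apt-get install --only-upgrade -y $pkgs
}

# Only act when invoked as `debsecan-upgrade.sh run`; sourcing the file just
# defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

apt-get install --only-upgrade is used instead of apt upgrade because it accepts an explicit package list and refuses to pull in anything that is not already installed. Packages debsecan flags as obsolete are not in the --only-fixed output and will not be touched; they need manual attention.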

HISTORY

debsecan was written by Florian Weimer of the Debian security team as a client for the Debian Security Tracker, so that the tracker's per-suite CVE data could be checked against a host's installed packages automatically instead of by reading advisories by hand. It has been packaged in Debian since then and remains the standard way to get a per-host list of open and fixable CVEs on Debian.

SEE ALSO

apt(8), apt-get(8), dpkg(1), cron(8), mail(1)
